- Apr 26, 2003
I'm wondering if anyone here could help me out here. I've got a 2003 Server as an active Domain Controller in our forest. We have a forwarder on this box forwarding log events to Splunk. I noticed that in Splunk I was not getting ANY Audit Failures, even when I tried to create them on purpose. Looking directly at the domain controller's Security Log, it also shows NOTHING but Success Audits. Confused, I went into Active Directory Users and Computers, right-clicked on the top level of the domain, clicked Properties, went to Windows Settings -> Security Settings -> Local Policies -> Audit Policy. There, Audit account logon events is set to Success, Failure. I was thinking maybe ONLY Success would have been checked, preventing the failures from showing, but it's not, it IS set to audit both. So failures should at least show up. They do not, even when trying to access the box DIRECTLY from the console, attempt a log in, type the wrong password, NOTHING shows in the log. Not a single peep about the fact someone just failed to log in.
Am I missing something here? Am I in the wrong place to edit the policy properly? All research I've done shows that I am, and when I view their videos or screenshots in their examples, the failure audits happily populate into the log. On mine, Success, Success, Success, as far as the eye can see.
Halp!